Rclone obscure password, what does it do?

the documentation is not too detailed.
Obscure password for use in the rclone.conf


I believe it's just a "reversible hash" algorithm that hides the password so it does not have to be stored in plain-text. Yes - I know that "reversible hash" is an oxymoron. I guess it's just a plan old scrambling algorithm technically...

It's not much of a security - being reversible- but it does make a password less obvious at least - and it would be a lot easier to hide it among other data if you were so inclined - and to hide it from casual data-leaks.

rclone expect the passwords to be stored in that way, so if you wanted to manually add a password you'd have to run it through that obscure function before pasting it in. It would be useful if you wanted to programmatically create configs outside of rclone maybe? Can't say I've actually had a need to use it yet.

That's about the extent of what I know about it.

1 Like

thanks for trying but.

if anybody know what this command does, please share.

You wound me :confused: ...

If that's not a sufficient answer, why don't you specify what you are after?
rclone obscure mypersonalpassphrase
output: encrypted password (same format as config file expects)

technical specs of the algorithm?
That's here, and it's not that complicated for someone who knows some scripting like yourself:

From the code the only correction I have to make to the above is that it is actually being AES encrypted, just using a hardcoded key. But that is pretty much a technicality. The key takeaway is that it's easy to do one way (rclone obscure) but not trivial to do the other way (you would at minimum need to modify the sourcecode to expose the reveal function).

rclone stores the original password encrypted in the config (usually as part of the rclone config setup), then decrypts it to memory when it reads it back.

rclone obscure is just the "encrypt the password" part of the rclone config routine in case you need to do that directly without going through the whole config again.

Note that (I assume due to salting) you can encrypt the same password and get many different outputs, but they should all be valid. I did a quick test just to verify.


Passwords are stored "obscured" in the config file to prevent eyedropping (like eavesdropping but for eyes).

To turn your password into an obscured version suitable for the config file you use

$ rclone obscure password

You can then use this in the config file or the command line, eg

rclone lsf --sftp-host myhost --sftp-user me --sftp-pass qA1PiJ7nsUbHwXbKUhvAM_7Z7xlBa_Dp :sftp:
1 Like


it obscures text and i guess it is somewhat useful.

  1. i can still use the obscured password and write new rclone commands to access the sftp server.
  2. that password is part of the command line and is visible in task manager, and other such tools.

Yea, anyone could steal it with copypaste.
And anyone who knows how to code could figure out to decrypt it with a little work since it's in the sourcecode.

So it's not security in itself. It's just less trivially obvious from casual observation. Especially if your original key is a a "humanized" passphrase that is easy to parse in ones head. Then you'd rather it be stored as some cryptic nonsense and thus harder to pick up.
It also does give you some level of protection if you are using the password elsewhere (like a lot of users unfortunately do), because it's not obvious what the original passphrase was from looking at the obscured value.

how can a mere mortal monkeyman wound a demon?
inquiring minds want to know?

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.